Plesk 9.3 Spam Filter Settings Hung or over an hour

[KrazyBob]

The hour glass just spins. If I stop and restart PSA the same results. It is in a container that isn't generally a problem. but I've given it more memory. Still no change. There is a KB article but it is for the this occurring after upgrading to 9.5, which I won't do. I've heard of too many problems afterwards.

Any help will be humbly accepted. I've goggled and searched here with no results.

[faris]

Can you try to see what's actually happening when this is hanging?
It might be something secondary. For example sa might be trying to expire bayes tokens, or I don't know what, which Plesk patiently waits to complete but never does (or keeps getting restarted).

Try using top (press "c" to see the full commands running) and maybe also ps and keep and eye on what's happening.

[KrazyBob]

Hi Faris,

Thanks for the reply. By default I use top -c and ps -ef or ps auxf. I don't see anything happening at all. It just hangs and the load goes up. I left it spinning for well over an hour. I finally issued a service psa restart from the shell. Once PSA had restarted I issued a

Code: Select all

/usr/bin/spamassassin --update-server -max-proc 4

and all it did was return a help screen. Oddly enough the command comes directly from the Parallels Plesk Panel 9.3 for Linux/Unix: Command Line Reference.

This server is a dedicated one that the customer has somewhat ignored because he generally moves his customers to Gmail, which I appreciate. It cuts down wear and tear. But not in this case. There are tens of thousands of messages stacked up and I have no way of dumping all of the messages unless I go all Rambo and and delete the directory tree beginning at /var/qmail/queue/info/. I am concerned that doing so will fubar Plesk mail. Plesk will slowly rebuild the directory tree. Here's the script that I use:

Code: Select all

#!/bin/bash
echo "Stopping Qmail"
/etc/init.d/qmail stop
echo "Clearing the Mail Queue"
cd /var/qmail/queue/info
rm -rf 0/*
rm -rf 1/*
rm -rf 2/*
rm -rf 3/*
rm -rf 4/*
rm -rf 5/*
rm -rf 6/*
rm -rf 7/*
rm -rf 8/*
rm -rf 9/*
rm -rf 10/*
rm -rf 11/*
rm -rf 12/*
rm -rf 13/*
rm -rf 14/*
rm -rf 15/*
rm -rf 16/*
rm -rf 17/*
rm -rf 18/*
rm -rf 19/*
rm -rf 20/*
rm -rf 21/*
rm -rf 22/*

echo "Info folder clean, clearing mess folder"

cd /var/qmail/queue/mess

rm -rf 0/*
rm -rf 1/*
rm -rf 2/*
rm -rf 3/*
rm -rf 4/*
rm -rf 5/*
rm -rf 6/*
rm -rf 7/*
rm -rf 8/*
rm -rf 9/*
rm -rf 10/*
rm -rf 11/*
rm -rf 12/*
rm -rf 13/*
rm -rf 14/*
rm -rf 15/*
rm -rf 16/*
rm -rf 17/*
rm -rf 18/*
rm -rf 19/*
rm -rf 20/*
rm -rf 21/*
rm -rf 22/*

echo "Mess folder clean, clearing remote folder"

cd /var/qmail/queue/remote

rm -rf 0/*
rm -rf 1/*
rm -rf 2/*
rm -rf 3/*
rm -rf 4/*
rm -rf 5/*
rm -rf 6/*
rm -rf 7/*
rm -rf 8/*
rm -rf 9/*
rm -rf 10/*
rm -rf 11/*
rm -rf 12/*
rm -rf 13/*
rm -rf 14/*
rm -rf 15/*
rm -rf 16/*
rm -rf 17/*
rm -rf 18/*
rm -rf 19/*
rm -rf 20/*
rm -rf 21/*
rm -rf 22/*

echo "Remote folder clean, clearing intd folder"

cd /var/qmail/queue/intd

rm -rf 0/*
rm -rf 1/*
rm -rf 2/*
rm -rf 3/*
rm -rf 4/*
rm -rf 5/*
rm -rf 6/*
rm -rf 7/*
rm -rf 8/*
rm -rf 9/*
rm -rf 10/*
rm -rf 11/*
rm -rf 12/*
rm -rf 13/*
rm -rf 14/*
rm -rf 15/*
rm -rf 16/*
rm -rf 17/*
rm -rf 18/*
rm -rf 19/*
rm -rf 20/*
rm -rf 21/*
rm -rf 22/*

echo "Intd folder clean, clearing local folder"

cd /var/qmail/queue/local

rm -rf 0/*
rm -rf 1/*
rm -rf 2/*
rm -rf 3/*
rm -rf 4/*
rm -rf 5/*
rm -rf 6/*
rm -rf 7/*
rm -rf 8/*
rm -rf 9/*
rm -rf 10/*
rm -rf 11/*
rm -rf 12/*
rm -rf 13/*
rm -rf 14/*
rm -rf 15/*
rm -rf 16/*
rm -rf 17/*
rm -rf 18/*
rm -rf 19/*
rm -rf 20/*
rm -rf 21/*
rm -rf 22/*

echo "Local folder clean, clearing todo folder"

cd /var/qmail/queue/todo

rm -rf 0/*
rm -rf 1/*
rm -rf 2/*
rm -rf 3/*
rm -rf 4/*
rm -rf 5/*
rm -rf 6/*
rm -rf 7/*
rm -rf 8/*
rm -rf 9/*
rm -rf 10/*
rm -rf 11/*
rm -rf 12/*
rm -rf 13/*
rm -rf 14/*
rm -rf 15/*
rm -rf 16/*
rm -rf 17/*
rm -rf 18/*
rm -rf 19/*
rm -rf 20/*
rm -rf 21/*
rm -rf 22/*

echo "Mail queue cleaned"
echo "Restarting Qmail Now"
/etc/init.d/qmail start
echo "Qmail Started"
echo "Done!"

[faris]

There are tens of thousands of messages stacked up

In the local or remote queue?

Remember that you can kill everything (local and remote), cleanly, using qmhandle with a single command: qmhandle.pl -D

[KrazyBob]

qmHandle is the obvious first choice but the load was so high that I could not get a good start. I don't like doing these things during the day but at night time I've got cron's running that pump up the load. qmHandle is clicking one delete after another now. I also was able to activate the SBL/RBL. We'll see after I clear all of the emails out if I can get the spam filter setting page to complete.

[KrazyBob]

It has been over 24 hours and qmHandle is still purging the records. qmailclear.sh takes 5 minutes but has to build an array. Clearly the array would run out of bounds through the rm command. I don't have a clue where so many messages are coming from. My guess is that there were several accounts that were over limit and requeueing? I don't know. Again and suggestions.

[scott]

smtp_auth maybe?

[KrazyBob]

In what way? SMTP_AUTH is enabled on all servers and port 587 utilized.

[scott]

compromised account

[KrazyBob]

We found all of these files scattered on the server. Gootkit.

Code: Select all

----------  1 nobody     nobody  62914 Sep  4 18:52 bedote.pl
----------  1 nobody     nobody  62914 Sep  4 14:59 bunion.pl
----------  1 nobody     nobody  62914 Sep  4 17:47 dicatalexis.pl
----------  1 nobody     nobody  62911 Sep  8 16:57 ecchondrosis.pl
----------  1 nobody     nobody  62914 Sep  2 12:31 fluoridize.pl
----------  1 nobody     nobody  62914 Sep  6 11:12 fraudfully.pl
----------  1 nobody     nobody  62914 Aug 31 14:58 guttiferous.pl
----------  1 nobody     nobody  62914 Sep  2 16:30 harassness.pl
----------  1 nobody     nobody  62914 Sep  2 06:41 hardboil.pl
----------  1 nobody     nobody  62914 Sep  5 05:14 highflying.pl
----------  1 nobody     nobody  62914 Aug 30 14:39 hymenophorum.pl
----------  1 nobody     nobody  62911 Sep  7 09:24 ingotman.pl
----------  1 nobody     nobody  62911 Sep  8 18:46 kefirs.pl
----------  1 nobody     nobody  62914 Sep  2 06:43 litigious.pl
----------  1 nobody     nobody  62914 Aug 30 13:46 nonabstemious.pl
----------  1 nobody     nobody  62911 Sep  7 09:26 predebtor.pl
----------  1 nobody     nobody  62914 Aug 29 16:06 rashly.pl
----------  1 nobody     nobody  62914 Sep  2 15:13 roughs.pl
----------  1 nobody     nobody  62911 Sep  8 14:25 shoreyer.pl
----------  1 nobody     nobody  62914 Sep  2 17:06 soiling.pl
----------  1 nobody     nobody  62911 Sep  8 16:10 tipful.pl
----------  1 nobody     nobody  62914 Aug 30 22:53 unfight.pl
----------  1 nobody     nobody  62914 Sep  3 14:30 unrancored.pl
----------  1 nobody     nobody  62914 Sep  3 22:23 weaponshaw.pl

They have been moved and isolated.

[faris]

How did you locate them?

[KrazyBob]

By looking for a key phrase in a gootkit exploit. I have a GootKit finder that I obtained but it did not locate these. Right now I am getting a clean backup and then I will turn mail back on. Then I'll know that I got all of them. After 36 hours of running qmHandle it went to the end of the 23's (mail queue) and then started over at 1. I caught it again at 3 and realized that the problem was still there.

The script I posted above won't work if there are too many files. Apparently rm builds an array before deletion and it would go out of boundary. I suppose that I could have manually deleted the queues with wsFTP. Qmail rebuilds the queues if missing.

I have ordered a bunch of new drives and will be rebuilding 5 servers to Virtuozzo 4.7, Centos 6.x and Plesk 11.x. Then I can apply ASL and hopefully get a full nights sleep. Even with mod_sec these damn exploits come in.